A botnet is a group of Internet-connected computing devices communicating with other similar machines in an effort to complete repetitive tasks and objectives. Botnets can include computers whose security defenses have been breached and whose control has been conceded to a third party. Each such compromised device, known as a “bot,” may be created when a computer is penetrated by software from a malware (i.e., malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP), etc.
Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, by exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which could come from an email attachment. This malware typically installs modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is executed, it may “call home” to the operator's host computer. When that connection is made, depending on how it is written, the Trojan may then delete itself, or it may remain present to update and maintain the modules. Many computer users are unaware that their computer is infected with bots.
Botnets can include many different computers (e.g., hundreds, thousands, tens of thousands, hundreds of thousands, or more) and the membership of a botnet can change over time.
One type of attack perpetrated by botnets is a distributed denial-of-service (DDoS) attack, in which multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests.
The geographic dispersal of botnets typically means that each participant must be individually identified, which limits the benefits of filtering mechanisms. Although a service provider could choose to block all traffic during a botnet attack, this negatively impacts existing users of the service. Alternatively, a service provider could choose to allow all traffic to continue to be processed, but this can significantly degrade its quality of service for regular users, and potentially even “crash” the service altogether. Moreover, it can be tremendously difficult to determine which requests for a service are malicious and which are not, making it very challenging to selectively deal with only the malicious traffic.
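The following is an added illustration, not code from the original text, of why per-source filtering loses its effectiveness against dispersed traffic. It compares a conventional sliding-window rate limiter keyed on source address against two constructed traffic samples (not captured data; the addresses are from documentation ranges): one source sending many requests, and many sources each sending one request. Both samples place the same total load on the service within the window, but only the first is caught by a per-source limit. The window size, per-source threshold and capacity figures are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample traffic (assumed, not captured): each entry is (timestamp_seconds, source_ip).
def single_source_burst(n_requests, duration):
    """n_requests from one address, spread evenly over `duration` seconds."""
    return [(i * duration / n_requests, "198.51.100.7") for i in range(n_requests)]


def dispersed_burst(n_sources, duration):
    """One request each from n_sources distinct addresses, spread over `duration` seconds.
    Assumes n_sources <= 254 so every address is unique."""
    return [(i * duration / n_sources, f"203.0.113.{i % 254 + 1}") for i in range(n_sources)]


def per_source_rate_limit(log, window, max_per_window):
    """Sliding-window limiter keyed on source address.

    A request is dropped when its source already has max_per_window accepted
    requests inside the trailing `window` seconds. Returns (accepted, dropped).
    """
    recent = defaultdict(deque)  # source -> timestamps of accepted requests still in window
    accepted = dropped = 0
    for ts, src in sorted(log):
        q = recent[src]
        while q and ts - q[0] >= window:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) < max_per_window:
            q.append(ts)
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def peak_aggregate_rate(log, window):
    """Highest number of requests the service sees in any `window` seconds, all sources combined.
    This is the load the service actually has to absorb, whatever the per-source view says."""
    times = sorted(ts for ts, _ in log)
    best = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def service_overloaded(log, window, capacity):
    """True when aggregate load in some window exceeds what the service can serve (assumed capacity)."""
    return peak_aggregate_rate(log, window) > capacity


def compare(window=10, per_source_limit=10, capacity=50):
    """Run both constructed samples through the per-source limiter and report what reaches the service."""
    report = {}
    for name, log in (("single_source", single_source_burst(100, window)),
                      ("dispersed", dispersed_burst(100, window))):
        accepted, dropped = per_source_rate_limit(log, window, per_source_limit)
        report[name] = {
            "accepted": accepted,
            "dropped": dropped,
            "peak_load": peak_aggregate_rate(log, window),
            "overloaded": service_overloaded(log, window, capacity),
        }
    return report


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:14s} accepted={r['accepted']:3d} dropped={r['dropped']:3d} "
              f"peak_load={r['peak_load']:3d} overloaded={r['overloaded']}")
```

With the assumed settings, the single-source burst is cut from 100 requests to the 10 the limiter allows, while the dispersed burst passes the limiter untouched: every one of its sources stays under the per-source threshold, yet the service still sees 100 requests in the window. Once traffic is spread across enough participants, the only signal a per-source filter has left is the aggregate load, which is exactly the point at which the provider is reduced to the coarse choices the paragraph above describes: block everything or serve everything.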
Accordingly, improved techniques for identifying botnet traffic and protecting services from botnet attacks are desired.